Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

[rjfvillarosa]

Quote:

Open the Windows Update troubleshooter by clicking the Start button, and then clicking Control Panel. In the search box, type troubleshooter, and then click Troubleshooting. Under System and Security, click Fix problems with Windows Update.

These instructions followed by a restart just restored the Windows Update feature on a Windows7 machine that was very heavily infected.

[lankystreak]

wow this thread is a lifesaver.

thanks to Panama Red for the unhide.exe, it worked a treat.

this is the first system i have fixed for a customer where desktop, start menu & every folder were all empty after removing virus/trojan. i did sus it out though & enabled all hidden folders to be viewed from the control panel link, but decided to use google for further help.

[Vgolfmaster]

Hi guys,

GREAT thread, thanks for all the tips. I had 2 pc's this weekend that had issues discussed here, and this was a great resource for getting these things up and running. First one I did on my own, 2nd one I found this thread first, and wish I had found it earlier, lol. The first one I did had Vista on it, and I am still getting an error that it can't perform windows updates. Tried .dll registration and that didn't do the trick. After reading this thread I have one more option to try - I had myself convinced it was because Vista is no longer supported, but maybe it isn't that simple....

[Vgolfmaster]

If I could ask a related follow up to this thread, please:

Both of the computers I am currently cleaning also have displayed some odd behavior in relation to windows updates. I am currently on a machine with Win7 home premium, and windows updates will not launch using the icon in the taskbar. I can open it via control panel, and it opens normally and is currently installing updates, but if I try to use the taskbar icon, it does nothing. It is also very finicky even minimizing and restoring the update window.

Anyone know if any of these viral attacks are somehow reconfiguring the updates applet, or how to correct these behaviors?

[David M]

I don't have that in my task bar at all. Perhaps delete what you have and reinstall it? I'm just guessing. The important thing is that you are still able to do your OS updates.

[Vgolfmaster]

Hi David,

Thanks for the reply. I guess I am left wondering if this behavior points to a 'not 100% clean' system is my only question. Well, that and I know it is supposed to work, and because it doesn't, my job isn't done lol.

I also have an issue with Internet Explorer not opening on this same machine. Just downloaded Firefox to a flash drive and installed it, and it works fine. IE just won't open, and I have the same issues-is this thing really clean yet.....

[David M]

I have not read back over all the previous posts so I assume you have done scans in Safe Mode with MSE and MalwareBytes and have done a HijackThis scan?

If something is still preventing you from re-installing or loading the software you need you can always slave your suspected C: drive to another computer, boot it up in Safe Mode and then do the same scans I just described.

If this does not work then the only alternative I can think of is to nuke and pave. Perhaps others will have some more ideas?

[jdeb]

It sounds like one: a failed Windows update somewhere along the line, two: Corrupt IE Explorer, or three: Maleware.

I would try Microsoft system sweeper and see if it finds anything.

You will have to burn a CD and then boot from it.

Microsoft Standalone System Sweeper Beta | Microsoft Connect

If clean, you could also attack it this way provided you are not getting any error messages with the updates.

How do I uninstall or remove Internet Explorer as a troubleshooting step?

How to solve Internet Explorer 8 installation problems

[Kilsally]

A really nasty virus combination of viruses here. Most programs were blocked and fake anti virus program popping up and hard rive fail error messages. Even in safe mode Malwarebytes and other anti virus were blocked, but managed to get spybot and iobit systemcare to run and remove some malware. Also ran Kapersky rescue CD which picked up some more and then was able to run Malwarebytes which got even more. However desktop icons and start menu icons were still gone and the C drive appeared as empty with no icons although the hard drive showed several GB of data on the drive. unhide.exe from bleeping computers brought back the c drive icons/folders and some start menu items. Moving the folder from the solution in #21 helped (were in said location) but many start menu items still remain empty ie i have sage account back in the start menu now but when you go to it the sub menu just shows `empty`. Going to try repair install.

[leisenj]

I'm pretty sure I've got the virus(es) y'all are describing. Fake antivirus alerts and everything on my C drive is hidden. I was able to run malwarebytes to find and delete a bunch of trojans. Ran it again to be safe and it came out clean. I also downloaded the recommended unhide.exe, but my problem now is that I can't get unhide.exe to run... nothing happens when I open it. I'm guessing it's being blocked by a virus...? Should I download and run another antivirus scanner? Would this enable me to run unhide.exe and get all my files/programs back?

[Nuclear Krusader]

Heh, I wish I had seen this thread yesterday: in the last 5 days I've got two machines with the same issue. The Windows 7 one was repairable, the Windows XP one required a full reinstallation as the repair reinstallation would not work.

[LilC]

Hello, this happened to me on an external hard drive. Will the unhide.exe program be able to fix this or it only repairs files located in the C: drive? If not, can you suggest a solution? Thanks!

[Panama Red]

Quote:

Originally Posted by LilC Hello, this happened to me on an external hard drive. Will the unhide.exe program be able to fix this or it only repairs files located in the C: drive? If not, can you suggest a solution? Thanks!

Unhide.exe will clear your external too - as long as it's connected and powered up. I just did one yesterday.

Additionally, I've been seeing a new variation with this infection. Often times the Start Menu area is blank when it should be showing "Computer" ,"Pictures", "Music", etc. What has happened is the virus changes the settings so none of those areas are shown. To fix it, simply right click on the task bar, select Properties>Start Menu>Customize button. There you will find the options to show or not show the items of your choice.

[MarkHark]

I am one more person to register here in order to thank you all. The tips shown in both this thread and the other one linked by PanamaRed have helped sort most of my problems.

I'll share my experience in case it may help somebody else.
I've been getting some flash update messages when restarting firefox for about a week, but just clicked 'cancel' each time. It looked legitimate, and Avira didn't complain about it, so I didn't suspect initially. A spybot-S&D search revealed nothing. Hijackthis showed some strange entries marked 'file missing' which refused to go away (and still do), but all of them seemed to link to legitimate apps.

Yesterday, right after googling Bulldozer motherboards and clicking on a couple links, Firefox started behaving odd, then crashed on me. Another run of Hijackthis also crashed, and PC seemed slower than usual, with high cpu activity from svchost.exe. On reboot, task manager was gone, as well as start menu and wallpaper; also, Daemon Tools showed some error msg and refused to start. Firefox started but crashed again in less than a minute. Same for hijackthis.

Restarting on safe mode did not help with task manager or start menu, but a full-system Avira scan found about 16 infected files.
After removal>>restart, I could use firefox again. Running a few other programs from inside windows explorer also looked OK. Tweaking a bit on taskbar properties let me restore basic start menu functionality, and get Trashcan and Computer icons back. Restoring wallpaper was also a breeze, but nothing I could think of could restore task manager or SM links. System restoration wouldn't complete. Tried 3 different restore points, only to get the same error message every time.

Eventually google helped me find the registry key where taskmgr was disabled, and Panama Red's post showed me where to look for the missing links. Running unhide.exe corrected most everything else, but I still have several missing links left to recover manually.

Also, a sfc check (Start>>Run>>cmd>>sfc.exe) reveals several system files to have been tampered with. Can't use the recover option though, unless I can get a proper Vista installation disk. Notebook came with the OS preinstalled, plus some hidden partition for factory-state recovery, but no standard installation disk. (Perhaps there's an option somewhere to generate a install disk image from this hidden partition? Must check on this later).

So the computer is running mostly OK at this time, but I still believe this will eventually have to go the nuke>>restore>> reinstall_everything way. I'd like to say thanks again to all of you and congratulations on a job well done.

[mrwriter03]

I caught this virus the other day and I just wanted to say how thankful I am to you guys for the unhide app. It saved my life. I just have one little issue left and I didn't see it pop up in other posts. Before the infection my harddrive space was somewhere around the 170GB area, now after the infection its down to about 50GB. Now what I did was I restored my computer to a previous state before the infection (I thought that would unhide my stuff) and after I did that I noticed the memory changed. Any ideas??

[Panama Red]

Check in My Computer (or Computer) and see if you now have a new partition/hard drive showing up. I ran into one recently where the owner had no idea how a new partition had been created but his hard drive had been divided and the C: drive was reduced to barely functional size. If you do find a new partition, check and see what files if any have been moved there.

[Nuclear Krusader]

Try also chkdsk to fix the incorrectly reported available space problem.

[Tin]

Im sure glad this thread was at the top of the heap last night. From the looks of it, my wifes computer got this nasty infection as well. When my wife got home from work the other day, nothing was visible in her start menu other than a few folders, and the desktop wallpaper was completely black. My stepsons story, "All I did was log in to Facebook" (yeah right!). We all know too well the browsing habits of teenage boys. I ran a Live distro on it with ClamAV and got most of the crap out. Then ran Malwarebytes and found a couple more. Finally, Im running MSE in Safe Mode right now to see if anything else pops up. If it looks clean, I'll run unhide.exe as linked above.

[Nuclear Krusader]

I wouldn't dismiss his argument. I got one machine infected here last week on which all the customer did was log onto Shamebook. He said that the previous night he logged onto his account on that site and saw a mysterious message; not knowing what it was or whom it had come from he went to click on the X to delete it, but missed the X and clicked on the message instead! The computer shut off immediately! Would not turn back on or something. He brought the machine and I had him repeat what he had done the night before: it happened in the shop too: as soon as he logged onto his Shamebook account the machine turned itself off.

So I scanned the hard drive using my bench PC and removed whatever malware it found. After the removal I had him come back and log onto his account again: the message was gone and the machine was back to normal.

[mynna]

New here, pardon the informalz. I had to remove a TDSS and Trojan injection. It was a pain in the a** to say the least. All desktop icons disappeared, startmenu programs were gone. Just plain terrible. My friend recommended MalwareBytes by I could not get it to download updates. So I just ran it without the updates. It detected TrojanFakeAlert, but on reboot MalwareBytes was no longer accessible. My friend recommended that I run a Rescue disk from a computer repair shop in Hawaii site Free Anti Virus Software so I tried everything. The AVG and Microsoft Sweeper were the only ones that detected anything but it was an old Limewire folder I had. Out of frustration I tried to do a Repair of windows, but I think I messed that up too. I seen something about a service from Black Viper's Website but I dont understand how to do it, so I am stuck with a black screen, no deskop icons, and no programs in the start menu. I cant tell if my stuff is gone, but I just want to get my pictures back. Do you think I have lost everything or should I just take it to BestBuy? Im stuck.

[kilnsea]

Second client PC to come in for this type of virus - Win XP. unhide.exe worked perfectly, restored start menu items, MalwareBytes scan found infections, great. However, user's desktop icons still did not display. Checked linked thread regarding smtmp folder, to make sure the shortcuts/icons were in the right place, they were, just were not displaying and I could not manually add anything to the desktop.

I manually edited registry and found an odd/orphan entry (*.exe) under
HKLM/Software/Microsoft/Windows/CurrentVersion/Run

Once I deleted that, desktop icons reappeared. Might help someone else with the same problem.

[Panama Red]

Quote:

Originally Posted by kilnsea Second client PC to come in for this type of virus - Win XP. unhide.exe worked perfectly, restored start menu items, MalwareBytes scan found infections, great. However, user's desktop icons still did not display. Checked linked thread regarding smtmp folder, to make sure the shortcuts/icons were in the right place, they were, just were not displaying and I could not manually add anything to the desktop. I manually edited registry and found an odd/orphan entry (*.exe) under HKLM/Software/Microsoft/Windows/CurrentVersion/Run Once I deleted that, desktop icons reappeared. Might help someone else with the same problem.

Thanks for the tip!

[molotovwars]

[EDIT]: Using my home computer I am still able to see and access the hidden folders. I think my work computer was able to see hidden files, but not system files. Anyways I still have access to my files so the below post can be ignored.



I caught this virus a few days ago and found this thread. At that time I was still easily able to view my hidden folders and access all of my files and I did not take immediate action. The virus only seemed to affect my external drives (1 USB and 1 External Hard-drive). However, today I plugged my USB into my computer at work and my work computer's anti-virus software (Kaspersky) took over and really put me in rut.

Kaspersky detected the trojans embedded in each folder short cut and deleted them all. I currently have hidden files visible and I cannot see any of the original folders. All of the shortcuts are gone and I cannot access any of those files. In Kaspersky I checked for Quanantined files and there are none listed. By clicking the Quarantine tab I was able to get a list of all of the "disinfected" files from today. In that list there is an entry showing that the threat was detected and then right after a second entry showing that it was deleted.

The path of the file would be listed as something like "F:/yonsei presentation.lmk" I can click to restore that file (which Kaspersky then deletes right away).

I momentarily disabled Kaspersky and restored one of those infected short-cut folders. Previously clicking on that short-cut would still open the original folder even when I couldn't see it. Now I get an error saying that whatever the shortcut was linking to could not be found.

I've been searching online for the last hour and I don't know what to do. When I check the properties for my USB drive I am led to believe that the files are still there. It shows that of my 4GB capacity 3.20GB are being used. Hidden files are visible but there are no signs of my folder.

I ran the unhide.exe file linked to in this thread, but I had no success.

[Nuclear Krusader]

Those were the files that were infected. There is no way to disinfect them, that's why the AV deletes them right off the bat. You do NOT want to access those files on any machine.

[Katlaya]

I, too, just got the virus RUMRAHICILVEX.EXE yesterday when I ever soooo stupidly opened an email that I thought was from FedEx. WRONG! And I'm usually so careful. Well... let me tell you that I came to rue that day. I'm still on an old XPS 400 and Windows XP. I have had this computer since 2006 so that tells you how old it is and I've done amazingly well with it since I'm a computer freak at heart. I can't thank you guys enough for all you have unknowingly helped me with. This last revelation about the folders holding the start menu was the best ever! I have the wild thing subdued and now my desktop is back to snuff, but I can't seem to get my System Restore to work even though I can see the files are still there to revert back to. I wanted to take it back to early January and put everything back in place again. Whenever I click on it, it says "System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again." Did it redirect that .exe file to another file that the computer virus created? I did a search on the rstrui.exe file and their pf files. There are a hundred of them all saying the same thing when I click on it. Some are from the service pack updates that my computer has done. From what I can tell.. they were all created years ago. The only reason I can tell that this is not functioning as it should is that there was a registry change to keep it from functioning so you can't recover it. Anyone good with registry file adaptations? I don't have this function disabled and I have checked it several times to be sure. Any help with this little deal would be great! Thank you!!

[Panama Red]

I haven't personally done much with checking the Restore functioning after cleaning up after this pest. Can you create a NEW restore point?

[Katlaya]

No.. it won't allow me to even open the function without that pop up box giving me that response.

[Panama Red]

Have you been thru this?

Troubleshooting steps for issues when you try to use the System Restore tool in Windows XP

Here's another solution.

http://www.techsupportforum.com/foru...ed-153058.html

And a third option would be to run System File Checker. You'll need your XP disk for this one.

http://support.microsoft.com/kb/929833

[Katlaya]

Thank you for the great links! I'll check them out and see if any of those help.

[Katlaya]

So far, what I am getting is that the System Restore is no longer configured. Not sure how they did that one.